OverTheWire Bandit: Level 20 to Level 21
The Goal
A setuid binary called suconnect connects to a port on localhost. If it receives the correct password for bandit20, it sends back bandit21’s password. The challenge: you need a listener running and ready before suconnect connects to it — both things have to happen at the same time in one terminal.
What I Did
Listed the home directory and ran the binary without arguments:
1
2
3
4
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP.
If it receives the correct password from the other side, the next password is transmitted back.
Confirmed it was setuid:
1
2
bandit20@bandit:~$ ls -l suconnect
-rwsr-x--- 1 bandit21 bandit20 15604 Jun 24 14:59 suconnect
Owned by bandit21 with the setuid bit set — it runs as bandit21, which means it can read /etc/bandit_pass/bandit21.
Setting Up the Listener with Job Control
Started netcat as a listener in the background using &:
1
2
nc -l -p 1234 &
[1] 538
This put nc in the background. The [1] is the job number. The terminal returned immediately, ready for the next command.
Ran suconnect also in the background:
1
2
./suconnect 1234 &
[2] 548
Brought the nc listener to the foreground so I could type into it:
1
2
fg %1
nc -l -p 1234
Typed the bandit20 password:
1
2
3
4
5
4pIjcunZ0fK2vmp3IwfG8Vf7VhxD6pOA
Read: 4pIjcunZ0fK2vmp3IwfG8Vf7VhxD6pOA
Password matches, sending next password
bW9kBv5WC3P4yoDyf12LSdGuNz5ka6hY
[2] Done ./suconnect 1234
How Job Control Works
Linux job control lets you manage multiple processes within a single terminal session:
| Command | What it does |
|---|---|
command & | Starts a command in the background immediately |
Ctrl+Z | Suspends (pauses) the current foreground process |
bg | Resumes a suspended process in the background |
fg | Brings a background or suspended process to the foreground |
jobs | Lists all background and suspended jobs |
fg %1 | Brings job number 1 specifically to the foreground |
The flow in this level:
- Start nc listener in background with
& - Start suconnect in background with
& - Bring nc to the foreground with
fg %1 - Type the password — nc sends it to suconnect
- suconnect validates it and sends back the next password
Alternative Methods
Piping the password directly into nc:
1
2
echo "4pIjcunZ0fK2vmp3IwfG8Vf7VhxD6pOA" | nc -l -p 1234 &
./suconnect 1234
This pipes the password into nc before it starts listening, so when suconnect connects, nc automatically sends the password without needing interactive input.
Using tmux:
1
tmux
Split the terminal into two panes with Ctrl+B then %. Run the listener in one pane and suconnect in the other. No job control needed — each pane is an independent shell.
Using screen:
1
screen
Create two windows with Ctrl+A then c. Switch between them with Ctrl+A then n. Same idea as tmux but older interface.
What I Learned
Job control is essential for running multiple things in one terminal. The & operator is the most commonly used — it lets you start a background process and immediately get your prompt back.
fg %n specifies which job to bring forward. Without the number, fg brings the most recent job. With %1 you control exactly which one.
Netcat in listener mode waits for a connection. nc -l -p PORT sits waiting until something connects. Once a connection arrives and the session ends, it exits. Use -k to keep listening for multiple connections.
tmux and screen solve the same problem differently. Job control uses one shell and switches between processes. tmux and screen give you genuinely separate shells running simultaneously — more flexible, especially over SSH where you might lose connection and want sessions to survive.
Commands Used
| Command | What it did |
|---|---|
nc -l -p 1234 & | Started netcat listener on port 1234 in background |
./suconnect 1234 & | Started suconnect in background |
fg %1 | Brought nc to foreground to type the password |
jobs | Checked what was running in background |